Audit of NARA's Capital Planning and Investment Control (CPIC) Process

OIG Audit Report No. 14-08

April 17, 2014

Table of Contents

Executive Summary ..................................... 3
Objectives, Scope, Methodology ....................... 6
Audit Results ......................................... 7
Appendix A – Revised CPIC Process .................... 17
Appendix B – Acronyms and Abbreviations .............. 18
Appendix C – Management's Response to the Report ..... 19
Appendix D – Report Distribution List ................ 20

Executive Summary

The Clinger-Cohen Act (CCA) requires the head of each executive agency to design and implement a process for maximizing the value and assessing and managing the risks of information technology (IT) acquisitions. A Capital Planning and Investment Control (CPIC) process addresses these requirements by integrating the planning, acquisition and management of capital assets into the budget decision-making process.
The CPIC process is intended to assist agency officials and project managers in improving asset management and in complying with requirements so that agency mission goals may be achieved and citizens are better served.

The objective of this audit was to determine whether the National Archives and Records Administration's (NARA) CPIC process and procedures were adequate, efficient, and in adherence with governing NARA policy as well as applicable federal laws and regulations. We found NARA has not been following its formal, documented CPIC policy since approximately March of 2013. In addition, we identified several projects that bypassed NARA's CPIC process when NARA Directive 801, Capital Planning and Investment Control (Directive 801), was current. We also identified several projects that did not complete all of the elements required by NARA's CPIC process. The projects that did not go through NARA's CPIC process did so because NARA's Office of the Chief Information Officer chose to bypass CPIC, NARA's CPIC staff improperly approved a project without requiring it to go through the CPIC process, or NARA staff in the program offices responsible for a project did not notify CPIC staff of the existence of the project. When projects bypass NARA's CPIC process and fail to follow CPIC requirements, the agency's ability to optimize the use of its limited IT resources as well as minimize risks and maximize returns is compromised.

According to NARA's Director of IT Operations, the agency's CPIC policy, Directive 801, is out of date and no longer being followed.
In its place, NARA is following a new business process flow and governance model that has not been thoroughly documented or promulgated. Significant guidance, such as NARA's CPIC policy or process, needs to be clearly documented. In addition, this documentation should appear in management directives and be properly managed and maintained. In the last few years NARA has undergone several transformations, disbanded several governance boards, and instituted new chartered governance boards. This has significantly altered the means by which IT investments are governed, approved and managed. However, during this time Directive 801 has not been updated to reflect these changes. An outdated CPIC policy that is not being followed increases the likelihood that NARA will be unable to optimize the use of IT resources, address its strategic needs, comply with applicable laws and guidance, and adequately manage its IT investment portfolio.

The deficiencies identified in our audit affect the agency's ability to properly manage its IT environment. Our audit identified opportunities for NARA to strengthen its CPIC process. Overall, we made nine recommendations to improve NARA's CPIC process.

Page 3
National Archives and Records Administration

Background

The National Archives and Records Administration (NARA) must effectively manage its portfolio of capital assets, including information technology (IT), to ensure that scarce public resources are wisely invested and risks to NARA's IT environment are minimized. The Clinger-Cohen Act (CCA) addresses these challenges by requiring each agency to establish a process for maximizing the value and assessing and managing the risks of its IT acquisitions.
This process should include minimum criteria to be applied in considering whether to undertake a particular investment in information systems. These include criteria related to the quantitatively expressed projected net, risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems investment projects.

CCA also places several responsibilities on the Chief Information Officer (CIO) of an executive agency. These responsibilities include developing, maintaining, and facilitating the implementation of a sound, integrated IT architecture for the executive agency. They also include monitoring the performance of IT programs of the agency, evaluating the performance of those programs on the basis of the applicable performance measurements, and advising the head of the agency regarding whether to continue, modify, or terminate a program or project.

Legislatively mandated by CCA, the Capital Planning and Investment Control (CPIC) process is a structured approach to managing IT investments used by all Federal Agencies, including NARA. CPIC ensures that IT investments support a business need and align with NARA's mission, strategic goals, and objectives. CPIC also strives to minimize risks and maximize returns throughout an investment's life cycle.
CPIC relies on systematic selection, control, and continual evaluation processes to ensure the objectives of IT investments are met efficiently and effectively.

NARA's Administration, Policy, & Planning Staff (I-P) is responsible for documenting, executing, reporting, and managing IT Capital Planning, including:

   • Developing policies, standards, guidance, and processes for the selection, control and evaluation of NARA IT investments, programs, systems, and services.
   • Providing guidance for project managers throughout the IT Capital Planning process, e.g. Pre-Select, Select, Control, and Evaluate.
   • Coordinating the governance review process for all proposed IT capital investments and ensuring that investments address all IT program management considerations (e.g., Enterprise Architecture, Security, Data, Privacy, Records Management, etc.).
   • Advising and providing a customer support focus for investment owners and business sponsors.

On January 30, 2014 NARA issued a task order for CPIC IT activity support. The technical direction letter (TDL) related to this task order requires a contractor to support NARA in implementing and executing the Capital Planning program.

Page 4

NARA's IT investment management process is detailed in NARA Directive 801, Capital Planning and Investment Control (Directive 801). This directive defines the processes and activities necessary to manage NARA's CPIC process, which allowed NARA to optimize the use of limited IT resources, address NARA's strategic needs, and comply with applicable laws and guidance.
However, Directive 801 was out of date by the start of our audit activity.

During this audit, NARA's Director of IT Operations stated that Directive 801 is no longer being followed. In its place, NARA created a revised capital planning and governance process that has yet to be thoroughly documented or promulgated.

A previous Office of Inspector General (OIG) audit identified improvements needed in NARA's process for investing in IT projects. In 2008 this OIG review found that a NARA IT system, while viable, was not developed in accordance with agency policies and procedures. The poorly planned project was at risk of cost overruns, not meeting project goals, and not being completed within schedule. Therefore, successful implementation of the IT project was at risk and could have affected the development of many other projects within NARA.

Page 5

Objectives, Scope, Methodology

The objective of the audit is to determine whether the National Archives and Records Administration's (NARA) Capital Planning and Investment Control (CPIC) process and procedures are adequate, efficient, and adhere to governing NARA policy as well as applicable federal laws and regulations.

In order to accomplish our objectives we performed the following:

   • interviewed NARA staff who oversee the CPIC process, as well as NARA staff who have had projects go through the CPIC process;
   • reviewed applicable laws and regulations;
   • reviewed previously issued audit reports relating to CPIC; and
   • reviewed documentation related to IT investments subject to CPIC requirements.

Our audit work was performed at Archives II in College Park, Maryland.
The audit took place between May 2013 and February 2014. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Page 6

Audit Results

1. NARA's CPIC Policy Is Not Being Followed.

According to the National Archives and Records Administration's (NARA) Director of Information Technology (IT) Operations, the agency's Capital Planning and Investment Control (CPIC) process policy, NARA Directive 801, Capital Planning and Investment Control (Directive 801) [1], is out of date and no longer being followed. In its place, NARA is following a new business process flow and governance model that has not been thoroughly documented or promulgated. Significant guidance, such as NARA's CPIC policy or process, needs to be clearly documented. In addition, this documentation should appear in management directives and be properly managed and maintained. In the last few years NARA has undergone several transformations, disbanded several governance boards, and instituted new chartered governance boards. This has significantly altered the means by which IT investments are governed, approved and managed. However, during this time Directive 801 has not been updated to reflect these changes.
An outdated CPIC policy that is not being followed increases the likelihood NARA will be unable to optimize the use of IT resources, address its strategic needs, comply with applicable laws and guidance, and adequately manage its IT investment portfolio.

NARA's Administration, Policy, & Planning Staff (I-P) state they plan to issue a technical direction letter (TDL) requiring a contractor to create and deliver a concise interim policy document to replace Directive 801 which will more accurately describe the current process for navigating the CPIC process. However, the TDL has yet to be issued. I-P advised NARA's Strategy Division that they plan to have a draft of the revisions ready by February 28, 2014. However, I-P stated during a discussion that delays in awarding TDLs have impacted the schedule and the revisions were not ready by that date.

During our review we asked several members of NARA's management team to discuss their familiarity with NARA's CPIC process [2]. We also asked these individuals to discuss whether they had any IT investments go through the CPIC process and what kinds of issues they have experienced related to the CPIC process. The majority of NARA management had significant issues with the CPIC process and believed it needed to be revamped (pages 12, 14, and 15 of this report detail the responses of management). Therefore, with the issues NARA management voiced regarding the CPIC process in mind, it appears that I-P's efforts to update the CPIC process by implementing a new business process flow and governance model are warranted. However, because of the important role the CPIC process plays in managing NARA's IT investments, as well as the requirements of the Clinger-Cohen Act (CCA), any modifications to Directive 801 should have been documented and promulgated.

[1] The current version of Directive 801 was issued on June 19, 2012 and established revised policy for IT investment management. It superseded NARA 801-2, Review of Information Technology Investments, and its supplements dated July 6, 2006.
[2] The CPIC process is one aspect of NARA's Information Systems governance process, which also includes the Architecture Review Board and the Systems Development Lifecycle.

Page 7

In addition, although NARA staff has stated that Directive 801 is no longer current, the NARA@Work intranet site has not been updated to reflect this. NARA staff has found the outdated information and templates on the CPIC pages of the NARA@Work intranet site very misleading. Indeed, this outdated information has caused NARA staff delays. Thus, I-P needs to ensure the NARA@Work intranet site is updated in order to provide accurate information to NARA staff.

Although not formally distributed in the form of a NARA Notice or Directive, a "quick process overview" was posted to NARA's Internal Collaboration Network in March of 2013; see Appendix A. The overview states that the IT governance process for planning a new investment or project is evolving and now has a more upfront focus on the business need, not the technical solution, and uses non-technical descriptions to introduce proposed projects to the IT staff. In addition, I-P also keeps additional CPIC related information on the Internal Collaboration Network, including meeting minutes and quad charts [3].

However, the new process overview does not address two requirements of CPIC as detailed in the CCA.
First, the CCA requires the CPIC process to provide for the selection of IT investments to be made by the executive agency, the management of such investments, and the evaluation of the results of such investments. Second, the CCA also requires the inclusion of minimum criteria to be applied in considering whether to undertake a particular investment in information systems, including criteria related to the quantitatively expressed projected net, risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems investment projects.

NARA's revised CPIC process overview, although still evolving, does not require an evaluation of IT investments as required by CCA. Furthermore, the revised CPIC process overview does not specifically require a quantitatively expressed projected net, risk-adjusted return on investment, also required by CCA.

Recommendations

We recommend NARA's Chief Information Officer (CIO):

   1. Ensure NARA's documented CPIC policy is updated and formalized to reflect the current processes in use by NARA. This includes:

      a. Ensuring any changes to NARA's CPIC policy are promulgated in the form of a NARA notice and published on the NARA@Work intranet site.

      b. Ensuring all required CPIC related documentation is completed for all NARA IT investments going through the CPIC process.

      c. Requiring the creation and use of a checklist outlining the IT governance related documentation required to be completed for all IT investments going through the CPIC process.

   2. Require NARA's updated CPIC policies and procedures meet the CPIC process requirements detailed in the Clinger-Cohen Act.

[3] Quad charts are charts prepared to assist in keeping a project on track.

Page 8

Management Response

Management concurred with the recommendations.

2. IT Investment Projects Bypassed the CPIC Review Process.

Directive 801 describes which IT investments fall under the CPIC process as well as which documents have to be completed during the CPIC process [4]. However, we identified several projects that bypassed NARA's CPIC process even though these projects met the criteria to be included. In addition, we also identified several projects that did not complete all of the elements required of projects going through NARA's CPIC process. The projects that did not go through NARA's CPIC process did so because NARA's Office of the CIO chose to bypass CPIC, NARA's CPIC staff improperly approved a project without requiring it to go through the CPIC process, or NARA staff in the program offices responsible for a project did not notify CPIC staff of the existence of the project. When projects bypass NARA's CPIC process and fail to follow NARA's CPIC requirements, the agency's ability to optimize the use of its limited IT resources as well as minimize risks and maximize returns is compromised.

IT Investments Bypassed the CPIC Process

Directive 801 discusses how the CPIC process strives to define accountability, as well as how all parties have clearly defined roles, responsibilities, and expectations to follow the process. Despite this guidance, NARA had several projects that were required to, but did not, go through the CPIC process.
I-P personnel, tasked with oversight of the CPIC process, stated that projects that do not go through the CPIC process can experience difficulties being put into operation. Therefore, if the IT investment projects described below had followed NARA's CPIC process, it is possible the difficulties some of these systems experienced could have been mitigated.

[4] Directive 801 was followed from 7/6/06 until 3/29/13. Therefore, some of the IT investments we reviewed fell under the requirements of Directive 801. NARA now follows a new CPIC process.

Page 9

   • The Electronic Records Archive (ERA) system is NARA's primary strategy for addressing the challenge of storing, preserving, and providing public access to electronic records. The total cost to develop the system was over $390 million. The estimated annual cost to operate and maintain ERA is approximately $30 million. The system development phase ended September 30, 2011, and ERA is currently in an operations and maintenance phase. ERA as a whole represents a major system acquisition at NARA both in terms of mission criticality and financial resources. Further, it is the largest IT project ever undertaken by NARA.

     A 2008 memorandum to file stated that due to ERA's current oversight, reporting requirements, and the limited resources within NARA's CPIC program, ERA does not need to submit monthly reports to the NARA CPIC program.
     A NARA official, tasked with oversight of the CPIC process, stated that throughout the development phases of ERA, these projects have not been managed through CPIC, but now that ERA is in an operations and maintenance phase, NARA is investigating how to best utilize CPIC for its planning activities.

   • NARA's upgrade to one of the five instances of ERA, the Executive Office of the President (EOP) instance, also did not go through the CPIC process. Because the upgraded EOP system did not go through the CPIC process, staff time spent on procurement activities related to the upgraded EOP system increased due to additional meetings and related discussions on disconnects with the statement of objectives and in preparing modifications to the original contract. In addition, the opportunity to identify potential issues with the system was diminished. For example, the CPIC process includes a comprehensive selection process where costs, business needs, strategic alignment, cost-benefit analysis, risk and technical requirements are examined. However, because the upgraded EOP system did not go through the CPIC process, these reviews did not occur.

     Indeed, a NARA official tasked with oversight of the CPIC process stated that if the EOP upgrade had gone through NARA's CPIC process they believed at least some of these issues and missing requirements would have been flushed out during discussion and review. As a result of these issues, the value of the contract to upgrade the EOP system increased to over $8.1 million, more than double the value of the original contract.

   • Our review of NARA's License Plate Recognition (LPR) system found that the system did not go through NARA's CPIC process.
     Security Management Division (BX) personnel stated that putting projects through processes such as CPIC can end up "costing the government more money than not doing them." However, the CPIC process serves to ensure projects address NARA's strategic needs and are properly reviewed before limited NARA resources are invested in them.

     The CCA defines IT as any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. Because the LPR system clearly fits within the CCA's definition of IT, the project should have been planned, reviewed, and approved in accordance with Directive 801 requirements. Despite this, NARA expended over $430,000 for an automated LPR system which did not go through the CPIC process and is not fully functional.

Page 10

     I-P personnel, tasked with oversight of the CPIC process, stated the LPR system should have undergone the CPIC process. I-P personnel also stated that the program office is responsible for contacting I-P when new projects are initiated. The program office responsible for the LPR system, BX, failed to notify I-P regarding the initiation of the LPR system.

   • On September 26, 2013 NARA extended a contract to improve communication and integrate effective, live, interactive webcasting service capabilities with the existing voice and data services provided by NARA's network. This extension brought the total obligated amount on the contract to $165,623.
     I-P personnel, tasked with oversight of the CPIC process, stated that this project should have gone through the CPIC process. However, the CIO's Office determined that a CPIC analysis was not needed for this IT service.

     The contractor's performance under this task order necessitated the issuance of two separate cure notices. The first cure notice, amended and sent on March 4, 2013, was due to the failure of the webcasting solution during a NARA All-Hands meeting. On August 14, 2013 the webcasting solution failed for a second time. Thus, another cure notice was sent on September 5, 2013. Again, this project provides another example of a NARA IT investment which bypassed the CPIC process and subsequently experienced difficulties being put into operation.

In addition to managing the risks of IT acquisitions, the CCA also directs Federal Agencies to ensure the CPIC process maximizes value. Because of the current budget environment, project managers now more than ever need to utilize CPIC and its set of management principles and tools to select and manage their investments wisely to maximize value to the organization. In contrast to this guidance, we identified several IT investments, discussed below, that bypassed NARA's CPIC process. This is a concern because satisfactory compliance with the requirements of the CCA for capital planning and investment control helps to ensure senior management is provided with timely and accurate information essential for making informed decisions about investments that compete for limited resources.

For example, on September 4, 2013 NARA awarded a contract to order three three-dimensional (3-D) printers and three cartridges for these printers at a cost of just under $10,000. Additionally, on July 16, 2013 NARA's OIG purchased evidence tracking software at a cost of $7,617.
Finally, on September 30, 2013 NARA awarded a contract to order IT equipment at a cost of $1,692,492. Included in this contract was the purchase of 2,287 desktop computers. This is despite the fact that as of September of 2012 NARA had only 2,630 full-time employees.

I-P personnel tasked with oversight of the CPIC process stated that they were unaware of the evidence tracking software and also stated that this IT investment should have gone through the CPIC process. During our audit we reviewed Automated Procurement System (PRISM) documentation for this IT investment, which included PRISM routing and approval information. This documentation showed that I-P approved the software during the routing process. Thus, I-P staff not only were aware of this project, but they approved it as well.

Page 11

Additionally, we also reviewed PRISM routing and approval information for the 3-D printer and IT equipment orders. Again, although these projects did not go through the CPIC process, I-P staff were aware of them based on the fact that these projects were approved by I-P during the PRISM routing process.
I-P, NARA's office assigned to oversee the CPIC process, should not approve an IT investment unless they ensure the IT investment meets the requirements of the CCA.

Recommendation

   3. We recommend NARA's Chief Operating Officer (COO) ensure NARA IT investments do not bypass NARA's CPIC process.

Management Response

Management concurred with the recommendation.

Required CPIC Documentation Was Not Completed

Directive 801 details documents that must be completed in order for an IT investment to exit each phase of NARA's CPIC process, which represents one aspect of NARA's IT governance process. In July of 2013 we requested all CPIC related documentation for a sample of IT investment projects. We reviewed whether the required CPIC documentation was completed for this sample of IT investments. We found that 14 of the IT investment projects we reviewed did not complete the required documentation. For example, seven of the IT investments were missing the pre-select submission, which is required before an IT investment can exit the CPIC Pre-Select Phase.

During our audit one NARA manager stated that at no point while working on a certain project did they feel that they ever fully understood the requirements of the process, including what items needed to be prepared and what was the required format. In addition, another NARA manager stated that the documents required to be completed related to the CPIC process are currently buried and a reader must tease out the information. Finally, according to a NARA manager, over the course of eight months NARA staff asked what CPIC documents needed to be prepared for an IT investment, yet no one was able to provide a comprehensive list of the information needed in order to get approval.
In addition, the office working on this IT investment was asked to complete several different versions of the same form, and was also asked to prepare several documents that were not required at all.

Although Directive 801 is no longer followed, NARA should ensure that all required CPIC related documentation is completed for NARA IT investments. A current handbook, preferably with checklists, would be helpful for business units with IT investments going through the CPIC process: one that explains the process, the various phases, which documents are required, as well as when they are required. Requiring the use and maintenance of CPIC checklists would also help to clarify the requirements of the CPIC process.

Page 12

Controls Related to the Acquisition of IT Investments

There are several methods available for NARA staff to request or purchase IT equipment. NARA Form NA-8007 can be completed to request desktop software. Similarly, NARA Form NA-8008 can be completed to request computer hardware. Staff responsible for software requests stated that of the 750-800 requests they receive a year, almost 99% represent requests for Adobe or Microsoft software, for which NARA has license agreements. Likewise, staff responsible for hardware requests stated that the vast majority of requests for hardware represent requests for general hardware provided from NARA's centralized inventory at no cost.

In addition, the purchase of supplies or services not exceeding $3,000 can be made using a government purchase card.
Specific cardholder responsibilities include, but are not limited to, meeting all cardholder experience and training requirements set by the supplement to NARA Directive 501, Government-Wide Commercial Purchase Card and Micro-Purchase Guide (Guide), and attending refresher cardholder training every three years and other training as required. During our review of the Guide, we noted that it did not reference NARA’s CPIC requirements. Adding language discussing CPIC requirements could limit the number of projects bypassing the CPIC process by ensuring NARA staff using purchase cards are aware of NARA’s CPIC requirements.

Purchases of supplies or services greater than $3,000 can be made by completing a purchase request. This request is then processed and approved using PRISM. I-P staff stated they were unaware of the existence of at least one project that bypassed the CPIC process. I-P staff also stated that each program office sponsoring an IT investment is responsible for contacting I-P when new projects are initiated. According to I-P staff, if the program office does not initiate contact with I-P, then the likelihood of the project going through the CPIC process is low.

In order to ensure that I-P is aware of IT investment projects, PRISM includes an electronic approval process incorporating I-P. Before IT investment requests containing equipment with a business object code starting with 31 can be approved, an automatic email is sent to I-P. I-P staff must then approve the IT investment before PRISM will allow the project to move through the system. NARA budget staff stated additional business object codes could be added to I-P’s approval process rather easily.
In addition, they suggested that adding business object code 257102, Operations and Maintenance of Equipment and Software-ADP, would be helpful in ensuring that I-P reviews all IT investments falling under CPIC.

According to the Internal Control Integrated Framework of COSO (the Committee of Sponsoring Organizations of the Treadway Commission), incorporating control activities, such as the previously mentioned requirement that I-P approve IT investments in PRISM, can help ensure that management’s directives to mitigate risks are carried out. An additional component of internal control that can help NARA mitigate risks to acceptable levels and support sound decision making is increased monitoring activities. For example, NARA staff could document their approvals of IT investments in PRISM.
Ongoing evaluations such as this can provide timely information and can be used to help ascertain whether some or all of the five components of internal control are present and functioning.

Recommendations

To ensure NARA IT investments do not bypass NARA’s CPIC process, we recommend:

   4. NARA’s Chief Operating Officer ensure that I-P’s approval process in PRISM is updated to include business object code 257102.

   5. NARA’s Chief Operating Officer ensure that I-P maintain documentation of its approval of IT investments in PRISM and that I-P’s PRISM approval of IT investments is tested on an annual basis, with all documentation of this testing sent to NARA’s internal controls group.

   6. NARA’s Chief Operating Officer ensure the training guide for purchase card holders is updated to include a discussion of the requirements of NARA’s CPIC process.

   7. NARA’s Chief Information Officer distribute a NARA Notice annually to remind employees of their CPIC responsibilities related to the acquisition of IT investments.


Management Response

Management concurred with the recommendations.


Improvements to NARA’s CPIC Process

Directive 801 defines the processes and activities necessary to manage NARA’s CPIC process, which allows NARA to optimize the use of limited IT resources, address NARA’s strategic needs, and comply with applicable laws and guidance. Directive 801 also mandates that the CPIC process applies to any project investing new resources in IT, whether or not the IT is at a NARA facility, is on the NARA network, or is owned and operated by NARA or operated on behalf of NARA. Directive 801 also establishes investment threshold levels that set different requirements based upon the cost of an IT investment.
For example, Directive 801 requires a completed Pre-Select submission for all IT investments in the small, medium, and large investment threshold level categories, whereas only IT investments in the medium and large categories are required to complete a cost-benefit analysis/alternatives analysis report.

During our audit, we spoke with NARA management regarding their experiences navigating NARA’s CPIC process. Eight of the eleven NARA managers we contacted expressed complaints about the process. For example, two managers stated that the CPIC requirements for IT investments are burdensome. Furthermore, the ways in which NARA’s CPIC process maximizes returns on IT investments can be outweighed by the enormous amount of staff time and energy that must be invested in order to successfully navigate the process. For instance, in order to get approval for an IT investment that was estimated to cost NARA approximately $5,000 over five years, a NARA director spent an average of five to ten hours a week for nine months. Additionally, it took nearly two years to procure a $40,000 records management tool needed to update NARA’s records schedule.

The goal of NARA’s IT governance process, which includes CPIC, is to minimize risks and maximize returns throughout the life cycle of an IT investment. However, Directive 801 created a non-intuitive, highly burdensome process with little standardization. In turn, this caused the CPIC process to be especially daunting for units proposing new IT investments infrequently, thereby stifling innovation and risk-taking.
Thus, NARA staff found the process to be unclear, lengthy, demoralizing, and frustrating.

NARA’s updated CPIC process overview is silent as to the requirements of the various investment threshold levels for IT investments. However, this updated CPIC process overview should take into consideration management’s comments and experiences with Directive 801. NARA should ensure the new process overview better aligns CPIC requirements with the costs of IT investments. For example, NARA may wish to develop a less detailed CPIC process for investments that are small in dollar terms relative to the agency’s budget. In addition, NARA’s CPIC process should be more transparent and provide better guidance for NARA management and staff to navigate the CPIC process.

Recommendation

   8. We recommend NARA’s Chief Information Officer ensure NARA’s IT governance process, which includes CPIC, incorporates the lessons learned when Directive 801 was followed to create a more user-friendly, streamlined and transparent policy where CPIC requirements align closely with the costs of IT investments.


Management Response

Management concurred with the recommendation.


Enforcement Mechanism

In order to ensure that all IT investments adhere to CPIC requirements, NARA should consider developing an enforcement mechanism applicable to IT investments funded outside of the formalized CPIC process. This enforcement mechanism could mirror NARA Directive 803, Requests for New Desktop Software, which describes NARA’s policies when requesting new desktop software and states “anyone purchasing and using unauthorized software may be subject to disciplinary action”.
Introducing this policy for both software and hardware would strengthen NARA’s CPIC requirements and make the policy an enforceable document, thus giving NARA authority over the CPIC program.

NARA should consider creating an enforcement mechanism it can utilize when IT investments are discovered that have been funded outside of the CPIC process, especially when it appears this was done in an attempt to avoid the CPIC process.

Recommendation

   9. We recommend NARA’s Chief Operating Officer consider including an enforcement mechanism in any updates to NARA’s CPIC policy.


Management Response

Management concurred with the recommendation.


Appendix A – Revised CPIC Process

Process Overview
created by                    on Mar 29, 2013 2:56 PM, last modified by                         on Jan 8, 2014 10:33 AM


The IT Governance process for planning a new investment or project is evolving.

Here is a quick process overview:

Revised process with more upfront focus on the business need, not technical solution; using the non-technical descriptions to introduce proposed projects to the information technology staff.

1) The process starts with a business need summary. This is reviewed by the Architecture Review Board (ARB) to see if there are tools or technologies deployed to meet the need and provide guidance on technical requirements.
The ARB meets every Monday at 10am in AII, with a conference bridge.
Business Need Summary - Template

2) An IT Project Manager is often assigned to work with the business unit to incorporate the business need summary and ARB feedback and create a business case. The business case documents the business need, strategic alignment, alternatives considered as well as anticipated costs and benefits.
Business Case - Template

3) Once approved as a project, a quad chart is prepared to assist in keeping the project on track. This is periodically reviewed at IT Project Meetings. These meetings are held on Thursdays at 1:30 in AII, with a conference bridge.
Quad Chart - Template


Appendix B – Acronyms and Abbreviations

3-D     Three Dimensional
BX      Security Management Division
CCA     The Clinger-Cohen Act
CIO     Chief Information Officer
COO     Chief Operating Officer
COSO    Committee of Sponsoring Organizations of the Treadway Commission
CPIC    Capital Planning and Investment Control
EOP     Executive Office of the President
ERA     Electronic Records Archive
I-P     Administration, Policy & Planning Staff
IT      Information Technology
LPR     License Plate Recognition
NARA    National Archives and Records Administration
OIG     Office of Inspector General
PRISM   Automated Procurement System
TDL     Technical Direction Letter
Appendix C – Management’s Response to the Report


NATIONAL ARCHIVES

Date:     APR 11 2014
To:       James Springs, Acting Inspector General
From:     David S. Ferriero, Archivist of the United States
Subject:  OIG Draft Audit 14-08, Audit of NARA’s Capital Planning and Investment Control (CPIC) Process


Thank you for the opportunity to provide comments on this draft report. We appreciate your willingness to meet and clarify language in the report.

We concur with the 11 recommendations in this audit, and we will address them further in our action plan.


DAVID S. FERRIERO
Archivist of the United States


NATIONAL ARCHIVES and RECORDS ADMINISTRATION
8601 ADELPHI ROAD
COLLEGE PARK, MD 20740-6001
www.archives.gov


Appendix D – Report Distribution List

Archivist of the United States (N)

Deputy Archivist (ND)

Chief Operating Officer (C)

Deputy Chief Operating Officer (C)

Chief Information Officer (I)

Executive of Business Support Services (B)

Director, Performance and Accountability (CP)

Management Control Liaison, Performance and Accountability (CP)